Description
In `src/fastmcp/server/providers/openapi/components.py` line 186, debug logging includes the full request headers:
```python
logger.debug(f"run - sending request; headers: {request.headers}")
```
This logs auth headers (Authorization, X-API-Key, etc.) in plaintext at debug level. While debug logging isn't enabled by default, debug logs are often captured in production logging systems and can leak credentials.
Fix: Redact sensitive headers before logging:
```python
# Header names (compared case-insensitively) whose values must never be logged.
SENSITIVE_HEADERS = {"authorization", "x-api-key", "cookie", "proxy-authorization"}


def _redact_headers(headers):
    # Return a copy with credential values masked; header names are kept so the
    # log line still shows which headers were sent.
    return {
        k: "***" if k.lower() in SENSITIVE_HEADERS else v
        for k, v in headers.items()
    }


logger.debug(f"run - sending request; headers: {_redact_headers(request.headers)}")
```
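The redaction described above, worked through as an added example (this is not fastmcp's own code and is not part of the issue): it generalises the fix to any `Mapping` of headers, including `httpx.Headers`, which exposes `.items()`, and to any header name that looks like a credential (the `SENSITIVE_MARKERS` substrings are an assumption chosen for this example, not from the issue). It also shows how to confirm that no raw secret value survives into the formatted debug line. The sample headers and secret values are constructed and not real credentials.

```python
"""Redacting credential-bearing headers before they reach debug logs.

Added example, not fastmcp's own code. Assumes headers arrive as any
Mapping-like object with .items() (a plain dict or httpx.Headers).
"""
import logging
from collections.abc import Mapping

# Exact header names (compared case-insensitively) that carry credentials.
SENSITIVE_HEADERS = frozenset({
    "authorization",
    "proxy-authorization",
    "x-api-key",
    "cookie",
    "set-cookie",
})

# Substrings that mark a header as credential-bearing even when it is not in the
# exact list above (e.g. "X-Auth-Token", "X-Client-Secret"). Assumption made
# for this example: a defensive generalisation of the issue's fixed list.
SENSITIVE_MARKERS = ("token", "secret", "password", "credential")

REDACTED = "***"


def is_sensitive_header(name: str) -> bool:
    """Return True if a header's value should never be logged in full."""
    lowered = name.lower()
    if lowered in SENSITIVE_HEADERS:
        return True
    return any(marker in lowered for marker in SENSITIVE_MARKERS)


def redact_headers(headers: Mapping[str, str]) -> dict[str, str]:
    """Return a copy of ``headers`` with credential values masked.

    Header names are preserved so the log line still shows *which* headers
    were sent; only the values of sensitive headers are replaced.
    """
    return {
        name: REDACTED if is_sensitive_header(name) else value
        for name, value in headers.items()
    }


def debug_request_line(method: str, url: str, headers: Mapping[str, str]) -> str:
    """Build the debug message the way the fixed logger.debug call would."""
    return (
        f"run - sending request; method={method} url={url} "
        f"headers={redact_headers(headers)}"
    )


def leaks_secret(message: str, secrets: list[str]) -> bool:
    """Check whether any raw secret value survived into a log message."""
    return any(secret in message for secret in secrets)


# Constructed sample request headers (not real credentials).
SAMPLE_HEADERS = {
    "Authorization": "Bearer example-token-123",
    "X-Api-Key": "example-api-key",
    "Cookie": "session=example-session",
    "X-Auth-Token": "example-auth-token",
    "Content-Type": "application/json",
    "User-Agent": "example-client/1.0",
}

# The raw values that must not appear in any log output.
SAMPLE_SECRETS = [
    "example-token-123",
    "example-api-key",
    "example-session",
    "example-auth-token",
]


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    logger = logging.getLogger("example")
    line = debug_request_line("GET", "https://api.example.com/items", SAMPLE_HEADERS)
    logger.debug(line)
    # Sanity check: the unredacted mapping would leak, the redacted line does not.
    print("raw mapping leaks:", leaks_secret(str(SAMPLE_HEADERS), SAMPLE_SECRETS))
    print("redacted line leaks:", leaks_secret(line, SAMPLE_SECRETS))
```

The `leaks_secret` check is the kind of assertion worth keeping in a unit test for the logging path: it fails the moment someone adds a new credential header the redaction list does not cover, which is the failure mode the issue describes.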